The 4.5.1 release also addresses several regressions and usability issues discovered during the 4.5 release. The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name. This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.
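A simplified model of the change described above, as an added example that is not Tor Browser code: it groups page loads by isolation key under the old full-domain rule and the new base-domain rule. The `PUBLIC_SUFFIXES` subset, the hostnames and both function names are constructed for illustration; a real browser consults the full Public Suffix List.

```python
import ipaddress

# Constructed subset of the Public Suffix List, enough for the sample hosts.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def base_domain(host):
    """Return the base domain: the longest known public suffix plus one label."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host.strip("[]"))
        return host                      # IP literals have no base domain
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):         # i = 0 tries the longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # A bare public suffix (i == 0) is its own key.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])         # unknown TLD: assume a one-label suffix


def isolation_groups(loads, key_fn):
    """Map isolation key -> resource hosts that share its circuit and identifiers.

    Each load is (url_bar_host, resource_host); the key always comes from the
    URL bar host, so third-party content inherits the first party's key.
    """
    groups = {}
    for url_bar_host, resource_host in loads:
        groups.setdefault(key_fn(url_bar_host), []).append(resource_host)
    return groups


# Constructed browsing session: a file host that serves downloads from a
# subdomain, plus one third party embedded on two unrelated sites.
LOADS = [
    ("www.example.com", "www.example.com"),
    ("www.example.com", "tracker.example.net"),
    ("dl.example.com", "dl.example.com"),
    ("news.example.co.uk", "tracker.example.net"),
]

if __name__ == "__main__":
    for name, fn in (("FQDN (4.5)", str.lower), ("base domain (4.5.1)", base_domain)):
        print(name)
        for key, hosts in isolation_groups(LOADS, fn).items():
            print("  %-20s %s" % (key, hosts))
```

Under the base-domain rule the `www` and `dl` hosts share one key, while the third party embedded on the two unrelated sites still lands in two separate groups.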
We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well.
With this release, 4.0 users will now be updated automatically to the 4.5 series.
Note to Mac OS users: The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic. You will be instructed to perform a manual download instead. Moreover, as of this release, 32-bit Macs are now officially unsupported. For more information, see the original end-of-life blog post.
Here is the list of changes since 4.5:
- All Platforms
  - Update Firefox to 31.7.0esr
  - Update meek to 0.18
  - Update Tor Launcher to 0.2.7.5
    - Translation updates only
  - Update Torbutton to 220.127.116.11
    - Bug 15837: Show descriptions if unchecking custom mode
    - Bug 15927: Force update of the NoScript UI when changing security level
    - Bug 15915: Hide circuit display if it is disabled.
    - Translation updates
  - Bug 15945: Disable NoScript's ClearClick protection for now
  - Bug 15933: Isolate by base (top-level) domain name instead of FQDN
  - Bug 15857: Fix file descriptor leak in updater that caused update failures
  - Bug 15899: Fix errors with downloading and displaying PDFs
  - Bug 15872: Fix meek pluggable transport startup issue with Windows 7
- Build System
  - Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
  - Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Tor has hired two new people, a Project Manager and a Director of Communications, to help the group stay on track, build its user base, and explain its work to the world.
Isabela Bagueros is the new project manager at Tor. She is joining Tor to coordinate its development teams and help them define their roadmaps, keep track of priorities, and ensure that Tor is always thinking “user first” while building things.
Isabela is from Brazil, where in the late 1990s she started to play with free software; in the early 2000s, she joined the information democratization movement that was growing quickly with the increase of Internet access around the world.
Isabela has volunteered with Indymedia, SFCCP (San Francisco Community Colocation Project), and other free software/hacker collectives around the world. She worked for Brazil’s Federal Government at the Ministry of Communications digital inclusion program, and later coordinated the project to migrate Presidential Palace IT infrastructure to free software. Before joining Tor, she was a Product Manager at Twitter, where she worked for over four years on the Internationalization and Growth teams, respectively.
Bagueros says that she has been a Tor user “since I can't remember” and she strongly believes in the right to privacy and keeping the Internet free, as in “Liberdade.”
Said Tor Project interim Executive Director Roger Dingledine, “Isabela’s background in the free software community has let her get up to speed on our work really quickly, as well as adapt to our communications and development styles.”
“We have many different projects going on at once, and we rely on Isabela to help prioritize and schedule them so we can keep our funders and other communities involved and informed about our progress. Not only do we value her organizational prowess, but she also has a background in helping to make technology more usable by ordinary people, so we're excited to have her play a larger role in getting Tor to a wider audience,” said Dingledine.
Kate Krauss is Tor’s first Director of Communications, where she is sharing news about Tor’s unique technical projects with the outside world.
Kate will also be reaching out to groups of human rights activists to teach them about Tor, and is studying efforts to restrict privacy in countries across the globe. She also hopes to launch Tor Journalist Camp, where journalists who cover Tor can learn about the technical workings of the Tor Network, Tor hidden services, and Tor’s many other projects—and the ideas about privacy that underpin them.
Kate was an early member of the activist group ACT UP, where she led a California statewide coalition that doubled funding for an AIDS medication fund and spurred the reorganization of the state’s HIV funding priorities. One of the first US activists to embrace international AIDS advocacy, she was a key US strategist behind the campaign to get AIDS drugs into African countries in the late 1990s.
As director of the small advocacy group the AIDS Policy Project, Kate organized successful campaigns that freed a number of human rights defenders in China. Her work also helped secure some $90 million in aid for China's HIV/AIDS programs from the Global Fund to Fight AIDS, TB, and Malaria. Later, at Physicians for Human Rights, her media work supported the successful campaign to reauthorize the $48 billion President’s Emergency Plan for AIDS Relief.
Kate began her anti-censorship career in an anonymous art collective covered in ARTFORUM, ARTNews, and Newsweek, as Girl #1. She became interested in information security issues while helping Chinese human rights defenders who were being surveilled.
She has placed front-page articles in the New York Times, the Washington Post, the Wall Street Journal, and other major outlets and has written opinion pieces for the Washington Post, the International Herald Tribune, and other newspapers.
Said Dingledine, “There are so many journalists out there who are excited about Tor but don't know where to start. Having Kate helps us keep them informed and coordinated. As Tor continues to go mainstream, her communication skills are critical to helping us get there. Tor’s wide diversity of users, from civic-minded individuals and ordinary consumers to activists, journalists, and companies, is part of its security. Kate is critical to helping us reach all of these audiences at once.”
Tails, The Amnesic Incognito Live System, version 1.4, is out.
We disabled in Tails the new circuit view of Tor Browser 4.5 for security reasons. You can still use the network map of Vidalia to inspect your circuits.
Tails OpenPGP Applet now has a shortcut to the gedit text editor, thanks to Ivan Bliminse.
Paperkey lets you print a backup of your OpenPGP secret keys on paper.
Upgrades and changes
Tor Browser 4.5 protects better against third-party tracking. Often when visiting a website, many connections are created to transfer both the content of the main website (its page, images, and so on) and third-party content from other websites (advertisements, Like buttons, and so on). In Tor Browser 4.5, all such content, from the main website as well as the third-party websites, goes through the same Tor circuits. And these circuits are not reused when visiting a different website. This prevents third-party websites from correlating your visits to different websites.
Tor Browser 4.5 now keeps using the same Tor circuit while you are visiting a website. This prevents the website from suddenly changing language, behavior, or logging you out.
Disconnect is the new default search engine. Disconnect provides Google search results to Tor users without captchas or bans.
Better support for Vietnamese in LibreOffice through the installation of
Disable security warnings when connecting to POP3 and IMAP ports that are mostly used for StartTLS nowadays.
Support for more printers through the installation of
Upgrade Tor to 0.2.6.7.
Upgrade I2P to 0.9.19, which has several fixes and improvements for floodfill performance.
Remove the obsolete #i2p-help IRC channel from Pidgin.
Remove the command line email client
There are numerous other changes that might not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.
Make the browser theme of the Windows 8 camouflage compatible with the Unsafe Browser and the I2P Browser.
Remove the Tor Network Settings... from the Torbutton menu.
Better support for Chromebook C720-2800 through the upgrade of
Fix the localization of Tails Upgrader.
Fix the OpenPGP key servers configured in Seahorse.
Prevent Tor Browser from crashing when Orca is enabled.
Claws Mail stores plaintext copies of all emails on the remote IMAP server, including those that are meant to be encrypted. If you send OpenPGP encrypted emails using Claws Mail and IMAP, make sure to apply one of the workarounds documented in our security announcement.
See the current list of known issues.
Download or upgrade
Go to the download page.
What's coming up?
The next Tails release is scheduled for June 30.
Have a look at our roadmap to see where we are heading.
Do you want to help? There are many ways you can contribute to Tails. If you want to help, come talk to us!
Tor 0.2.7.1-alpha is the first alpha release in its series. It includes numerous small features and bugfixes against previous Tor versions, and numerous small infrastructure improvements. The most notable features are several new ways for controllers to interact with the hidden services subsystem.
You can download the source from the usual place on the website. Packages should be up in a few days.
NOTE: This is an alpha release. Please expect bugs.
Changes in version 0.2.7.1-alpha - 2015-05-12
- New system requirements:
  - Tor no longer includes workarounds to support Libevent versions before 1.3e. Libevent 2.0 or later is recommended. Closes ticket 15248.
- Major features (controller):
  - Add the ADD_ONION and DEL_ONION commands that allow the creation and management of hidden services via the controller. Closes ticket 6411.
  - New "GETINFO onions/current" and "GETINFO onions/detached" commands to get information about hidden services created via the controller. Part of ticket 6411.
  - New HSFETCH command to launch a request for a hidden service descriptor. Closes ticket 14847.
  - New HSPOST command to upload a hidden service descriptor. Closes ticket 3523. Patch by "DonnchaC".
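How a controller client might build the new ADD_ONION and DEL_ONION lines and read the reply, as an added example that is not code from Tor or from this announcement. The argument syntax, the `DiscardPK` and `Detach` flags and the `ServiceID`/`PrivateKey` reply fields come from Tor's control-spec rather than this page; the function names, the validation patterns and the sample reply are constructed.

```python
import re

# Flag names and reply fields are taken from Tor's control-spec, not from
# this page; check them against the spec shipped with your Tor version.
ALLOWED_FLAGS = ("DiscardPK", "Detach")
KEY_RE = re.compile(r"[A-Za-z0-9]+:[A-Za-z0-9+/=]+")          # e.g. NEW:BEST
TARGET_RE = re.compile(r"(?:[A-Za-z0-9.\-\[\]:]+:)?\d{1,5}")  # [host:]port
SERVICE_ID_RE = re.compile(r"[a-z2-7]{16}")  # assumed 16-char base32 address


class ControlError(Exception):
    """Raised when the controller answers with a non-250 status line."""


def build_add_onion(ports, key="NEW:BEST", flags=()):
    """Build an ADD_ONION line from (virtport, target-or-None) pairs."""
    if not ports:
        raise ValueError("at least one Port= mapping is required")
    if not KEY_RE.fullmatch(key):
        raise ValueError("malformed key argument")
    if any(f not in ALLOWED_FLAGS for f in flags):
        raise ValueError("unknown flag")
    parts = ["ADD_ONION", key]
    if flags:
        parts.append("Flags=" + ",".join(flags))
    for virtport, target in ports:
        virtport = int(virtport)
        if not 1 <= virtport <= 65535:
            raise ValueError("virtual port out of range")
        if target is None:
            parts.append("Port=%d" % virtport)
        elif TARGET_RE.fullmatch(target):
            parts.append("Port=%d,%s" % (virtport, target))
        else:
            # Whitespace or CR/LF here would let a config value smuggle a
            # second command onto the authenticated control connection.
            raise ValueError("malformed target: %r" % target)
    return " ".join(parts) + "\r\n"


def build_del_onion(service_id):
    if not SERVICE_ID_RE.fullmatch(service_id):
        raise ValueError("malformed service id")
    return "DEL_ONION %s\r\n" % service_id


def parse_reply(raw):
    """Parse '250-Key=Value' lines up to the final '250 OK' into a dict."""
    fields = {}
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[:3] != "250":
            raise ControlError(line)
        if line[3:4] == " ":             # '250 ' marks the last line
            return fields
        key, _, value = line[4:].partition("=")
        fields[key] = value
    raise ControlError("reply ended without a final status line")


# Constructed reply; the key blob is a placeholder, not real key material.
SAMPLE_REPLY = ("250-ServiceID=abcdefghijklmnop\r\n"
                "250-PrivateKey=RSA1024:PLACEHOLDERKEYBLOB\r\n"
                "250 OK\r\n")
```

A `PrivateKey` field in the reply means the controller process now holds the service's identity key and must store it accordingly; passing `DiscardPK` keeps Tor from returning it. Without `Detach`, the service is tied to the control connection that created it.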
As of May 8, 2015, the Tor Cloud project has been discontinued.
The Tor Cloud project gave people a user-friendly way of deploying bridges on the Amazon EC2 cloud computing platform to help users access an uncensored Internet. By setting up a bridge, they would donate bandwidth to the Tor network and help improve the safety and speed at which users can access the Internet.
The main reason for discontinuing Tor Cloud is the fact that software requires maintenance, and Tor Cloud is no exception. There is at least one major bug in the Tor Cloud image that makes it completely dysfunctional (meaning that users could not use this particular service to access the Internet), and there are over a dozen other bugs, at least one of them of highest priority. Probably as a result of these bugs, the number of Tor Cloud bridges has steadily declined since early 2014.
We have tried to find a new maintainer for Tor Cloud for months, but without success. There have been offers to send us patches, but we couldn't find a Tor person to review and approve them. We encourage everyone who stepped up to start their own cloud bridges project under another name ("Onion Cloud"?), possibly forking the existing Tor Cloud code that will remain available. Tor Cloud is still a good idea, it just needs somebody to implement it.
If people still want to help users access an uncensored Internet, there remain plenty of ways to help. For example, it's still possible to spin up an instance on Amazon EC2 or any other cloud computing platform and install a Tor bridge manually. Or people can donate to organizations that run Tor relays and bridges like Torservers.net or their partner organizations.
Note that discontinuing the Tor Cloud project has no effect on existing Tor Cloud instances. Whenever one of those instances was started, a template of the operating system and settings was copied, and removing the template has no effect on the copies.
Sorry for any inconvenience caused by this.
Sue Gardner, the former executive director of the Wikimedia Foundation, has been advising Tor informally for several months. She attended Tor's most recent in-person meeting in Valencia in early March and facilitated several sessions. Starting today, and for about the next year, Sue will be working with us to help The Tor Project develop a long-term organizational strategy. The purpose of this strategy project is to work together, all of us, to develop a plan for making Tor as effective and sustainable as it can be.
Sue is a great fit for this project. In addition to being the former executive director of Wikimedia, she has been active in FLOSS communities since 2007. She's an advisor or board member with many organizations that do work related to technology and freedom, including the Wikimedia Foundation, the Sunlight Foundation, the Committee to Protect Journalists, and Global Voices. She has lots of experience developing organizational strategy, growing small organizations, raising money, handling the media, and working with distributed communities. She's a proud recipient of the Nyan Cat Medal of Internet Awesomeness for Defending Internet Freedom, and was recently given the Cultural Humanist of the year award by the Harvard Humanist Association.
We aim for this project to be inclusive and collaborative. Sue's not going to be making up a strategy for Tor herself: the idea is that she will facilitate the development of strategy, in consultation with the Tor community and Tor stakeholders (all the other people who care about Tor), as much as possible in public, probably on our wikis.
Sue's funding for this project will come via First Look Media, which also means this is a great opportunity to strengthen our connections to our friends at this non-profit organization. (You may know of them because of The Intercept.)
As she does the work, she'll be asking for participation from members of the Tor community. Please help her as much as you can.
I'm excited that we're moving forward with this project. We welcome Sue as we all work together to make security, privacy, and anonymity possible for everyone.
Welcome to the eighteenth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.
Tor Project, Inc. appoints Interim Executive Director
Following the departure of the Tor Project, Inc.’s Executive Director, Andrew Lewman, the board of directors has appointed Roger Dingledine as Interim Executive Director, and Nick Mathewson as Interim Deputy Executive Director, until long-term candidates for these roles are found. Roger and Nick are both co-founders and lead developers of Tor, and need no introduction here — but you can watch Roger’s conversation with the National Science Foundation and (if you read Spanish) take a look at Nick’s recent interview with El País to learn a bit more about who they are and what inspires them to work on Tor.
Monthly status reports for April 2015
The wave of regular monthly reports from Tor project members for the month of April has begun. George Kadianakis released his report first (offering updates on onion service research), followed by reports from Yawning Angel (reporting on pluggable transport research and core Tor hacking), Sherief Alaa (on support work, documentation rewrites, and testing), David Goulet (on onion service and core Tor development), Nick Mathewson (on core Tor development and organizational work), Leiah Jansen (on graphic design and branding), Pearl Crescent (on Tor Browser and Tor Launcher development and testing), Jacob Appelbaum (on advocacy and outreach), Griffin Boyce (on security research and Satori/Cupcake development), Damian Johnson (on Stem development and coordinating Tor Summer of Privacy), Georg Koppen (on Tor Browser Development and build system research), Juha Nurmi (on ahmia.fi development and Tor outreach), and Israel Leiva (on the GetTor project).
Mike Perry reported on behalf of the Tor Browser team, giving details of the 4.5 release process, significant security enhancements, and work to ensure that the wider Internet community takes the Tor network into account when developing standards and protocols.
Isis Lovecruft announced the release and deployment of version 0.3.2 of BridgeDB, the software that handles bridge address collection and distribution for the Tor network. Notable changes include the setting of obfs4 as the default pluggable transport served to users, better handling of clients from the same IPv6 address block, and the exclusion of broken bridge lines from the database.
Tom Ritter shared a slide deck offering “a 100-foot overview on Tor”: “Before I post it on twitter or a blog, I wanted to send it around semi-publicly to collect any feedback people think is useful.”
Moritz Bartl announced the Tor-BSD Diversity Project, which aims to mitigate the risks that the “overwhelming GNU/Linux monoculture” among Tor relay operators might pose to the security of the Tor network: “In a global anonymity network, monocultures are potentially disastrous. A single kernel vulnerability in GNU/Linux impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity.”
David Fifield published the regular summary of costs incurred by the infrastructure for meek in April, detailing a large increase in simultaneous users over the last month (from 2000 to 5000), and the possible effects of a larger meek userbase on the Tor Metrics portal’s bridge user graphs.
John Brooks suggested that, when the “next-generation onion services” proposal is implemented, there will no longer be any reason to use both introduction points and hidden service directories when establishing connections between Tor clients and onion services. Calculating introduction points in the same way that HSDirs would be selected may have “substantial” benefits: “Services touch fewer relays and don’t need to periodically post descriptors. Client connections are much faster. The set of relays that can observe popularity is reduced. It’s more difficult to become the IP of a targeted service.” See John’s proposal for a detailed explanation, and feel free to send your comments to the tor-dev mailing list.
This issue of Tor Weekly News has been assembled by Harmony, Roger Dingledine, and Karsten Loesing.
Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!
Donncha O'Cearbhaill is one of Tor's new Summer of Privacy students. We asked him about his plans for the summer.
1. Why are you interested in working on Free software?
I'm delighted to be able to contribute back to the Free software community which has provided me with so many of the tools and systems I use daily. It's reassuring to know that any software that I write for the Tor Project will always be available for people to use, modify, and redistribute.
2. Describe your project to a lay reader--How will it work, and who will it help?
Most large web services distribute the requests to their sites across multiple servers so as to better handle the load from their users. However, at present, Tor onion (hidden) services are limited to routing all their traffic via Tor running on a single server. This is becoming a bottleneck for popular hidden services and is causing difficulty in growing to more users.
My project aims to implement a tool that will allow onion service operators to distribute connections to their services across multiple back-end servers. For users, I hope this will allow their favourite services to become faster and more reliable.
As a bonus, the project should allow operators to further increase the security of the services by allowing private keys to be stored away from the computer hosting their actual onion service / website.
3. What do you hope to get out of the Tor Summer of Privacy?
I've really enjoyed my interactions with the Tor community over the past few months. Over the summer, I hope to provide something of value and give back to the community. As I don't have a formal computer science background, I'm also looking forward to working with my mentors to improve the standard of my software design and development and generally gain more experience.
4. Who are your heroes--if you have any--in internet freedom software?
The work of many people in the Internet freedom community inspires me. I'm particularly grateful to people such as Edward Snowden, Julian Assange, and Jeremy Hammond who have made massive sacrifices to try to bring light to the expanding surveillance state.
I'm inspired by the free software developers and advocates everywhere who continue trying to do something about it.
5. Where do you go to school and what are you studying?
I'm just finishing my degree in Medicinal Chemistry in Trinity College, Dublin, Ireland. My exams run over the next few weeks and after that I'm looking forward to hacking on some code rather than molecules.
6. Anything else you'd like to say?
I'd like to thank the Tor Project for accepting me into the Summer of Privacy program, and thank all in the Tor community for being so welcoming to me so far.